How can insurance firms counter phishing attacks?

Digital chief lifts the lid

By Daniel Wood

In a recent cyber alert, the National Cyber Security Centre (NCSC) urged businesses in New Zealand to look out for a phishing campaign active since at least June 5. The attackers are using accounts to send emails to contacts, said the NCSC alert, “in an effort to redirect users to malicious websites and harvest credentials.”

One of the cyber challenges facing insurance firms, the guardians of troves of personal information, is how to prepare staff to avert this very common social engineering attack.

“Watch out for those emails and those texts,” said Roxanne Salton.

Salton is currently transitioning from her role as chief digital officer (CDO) for Southern Cross Health Society to CDO for TSB Bank. In a recent interview with Insurance Business, she discussed her cyber security strategy during her four-plus years at the Auckland-headquartered health insurance provider.

Training, testing and audits

“I think we've done a huge amount of training, improvements, testing and third-party audits,” she said. “We feel like we've got a good assurance – but I say this touching wood.”

Salton said her firm is “incessantly” sending phishing emails to staff as part of their internal training. However, as artificial intelligence (AI) technology improves, she expects phishing attacks to become more challenging to stop.

Anti-phishing email training

One focus of this anti-phishing email training is making sure that staff remain vigilant and report emails that look suspicious.

“Sometimes people pass all the training and the awareness strategies but it's a moment of inattention – and then…” Salton said. “There’s always going to be something to battle with because we’re human beings – we're just not perfect.”

Text messages are also currently one of the more popular cyber attack methods, she said.

“We can see from the type of attacks that are going on in the marketplace in New Zealand that the attackers seem to have gone back to text messaging,” said Salton. “When the message makes you think it’s someone you need to ring up and they get your details from you that way.”

Examples include texts suggesting the recipient has unpaid road tolls, mail that couldn’t be delivered or a bill that needs paying.

Despite the challenge of overcoming natural human gullibility, occasional inattentiveness and just plain curiosity, Salton said her staff do very well in phishing tests and compliance training.

Southern Cross Health Insurance also has a governance committee that keeps watch over cyber issues.

“This is where we share some of the different global vectors of attack that are happening,” she said. “We're thinking about how they would translate to us?”

Cyber training, she said, needs to be tailored towards this changing landscape.

“It's not a question of if, it's a question of when – and when it’s the when, are we ready?” said Salton.

If not now, when?

The CDO said that the COVID-19 pandemic a few years ago raised awareness around health data and its susceptibility to cyber attacks.

At that time, she said, many people were more concerned about their health and were active online using health-related data. This proved, said Salton, to be “perfect territory” for cyber criminals.

“Criminals will always look for what opportunities they can get,” she said. “We've always been very aware of this threat.”

“We're not immune and we always think there's only so much you can do to prepare,” said Salton.

Since those attacks, she said her insurance firm aimed to strike the right balance between enabling staff and securing systems from attackers.

“Because you can shut down the whole business, get off the internet and you're probably still not going to be 100% secure – and you still need to run a business, right?” said Salton. “So we've really invested in a program of work that not only secures our platform but also does a lot of awareness and education.”

“How quickly can you shut it down?”

However, she said the reality is that the right controls and monitoring are not enough.

“You need training and awareness in terms of your people but also in terms of, if you get attacked, how quickly can you shut it down?” said Salton.

She said this approach is about improving the firm’s resilience and ability to quickly “isolate, remove and recover” from a cyber attack.

One important element, said Salton, is encouraging a “no blame culture.”

Staff are encouraged to refrain from opening any email they are uncertain about.

“We always say, ‘If in doubt, don’t,’” she said. “It's better to be safe than sorry, because nobody wants to be that person.”
